Permission Denied in php file read when file owner is not apache

[snehu]

I am using apache web server on linux. I am using PHP for web designing. On web server, i want to show the configuration data by reading the ini file. I am creating this ini file from one php code itself. If this php code i run through linux terminal, the file is created with file and group owner as root.(i am having sudo rights on machine) Then if i try to read the ini file from my apache web server, it gives warning as failed to open stream: permission denied. I have tried changing the owner, and permissions to 777 of the file. Still it is not readable.

On the other hand, if i run the php code of ini file creation through web server, ini file is created with file and group owner as apche. and web server is able to read/ write the file.

But i want to create that file from root or some other user and later read/written by apache.

How to give this access permission?

[requinix]

root is for privileged access to resources. You shouldn't be using it to create files for your website, and certainly not files that are supposed to be read and written to by the site.

 

Do you have safe_mode enabled?

[snehu]

 The file which is read by web server is a configuration file. This file contains the system configuration data set at that point of time. So it will be written by another algorithm. And web server gives the permission to update the configuration settings to the user. So apache web server need both read and write permission to the file whose owner is different. Read - to read at start system settings

Write - to update the setting as per user requirement.

Where can i find safe mode?

[requinix]

The file which is read by web server is a configuration file. This file contains the system configuration data set at that point of time. So it will be written by another algorithm. And web server gives the permission to update the configuration settings to the user. So apache web server need both read and write permission to the file whose owner is different. Read - to read at start system settings

Write - to update the setting as per user requirement.

That's fine. Go ahead and do that. But don't make the file be owned by root.

 

Where can i find safe mode?

safe_mode is a PHP setting so check phpinfo(), ini_get(), or your php.ini.

[CroNiX]

Log in as the webuser, not root (or sudo). Or have PHP create the file which should automatically have the correct permissions.

[sKunKbad]

You might also consider using setgid on the directory. Something like:

 

sudo chgrp www-data /path/to/dir

sudo chmod g+s /path/to/dir

 

This should enforce that all files created in the directory inherit the www-data group. setgid on directories is often essential (as in the case of using git), so you should read up on it.

[jazzman1]

sKunKbad, why the apache user gets the message of permission denied when it / he tries to open the file in his own directory? 

[root@lxc dummy]# ls -ld /home/dummy/http/
drwxr-xr-x. 2 apache apache 4096 Sep 16 20:34 /home/dummy/http/
[root@lxc dummy]# ls -l /home/dummy/http/test.php 
-rwxr-xr-x. 1 apache apache 202 Sep 16 20:34 /home/dummy/http/test.php
[root@lxc dummy]# su -l apache -s /bin/bash 
-bash-4.1$whoami
apache
-bash-4.1$ ls -ld /home/dummy/http 
ls: cannot access /home/dummy/http: Permission denied
-bash-4.1$ php -f /home/dummy/http/test.php
Could not open input file: /home/dummy/http/test.php

Edited September 17, 2014 by jazzman1

[sKunKbad]

sKunKbad, why the apache user gets the message of permission denied when it / he tries to open the file in his own directory? 

 

[root@lxc dummy]# ls -ld /home/dummy/http/
drwxr-xr-x. 2 apache apache 4096 Sep 16 20:34 /home/dummy/http/
[root@lxc dummy]# ls -l /home/dummy/http/test.php 
-rwxr-xr-x. 1 apache apache 202 Sep 16 20:34 /home/dummy/http/test.php
[root@lxc dummy]# su -l apache -s /bin/bash 
-bash-4.1$whoami
apache
-bash-4.1$ ls -ld /home/dummy/http 
ls: cannot access /home/dummy/http: Permission denied
-bash-4.1$ php -f /home/dummy/http/test.php
Could not open input file: /home/dummy/http/test.php

Probably parent directory not owned by Apache, or parent directory not applied to a group where Apache is member, combined with permission like drwx------. Yes?

[snehu]

Hi sKunKbad, I have created file as normal user(not root) and given permissions g+s as suggested by you. But still the same problem.

Then i created the file with sudo user as root and then done setgid and changed group to apache. But i am not able to read the file in web server. File is located in /var/tmp folder. And my apache root directory is /var/www/html. My php code of reading the file is in root directory folder.

 

Hi requinix, I have not found safe mode of php in php.ini. Does safe mode will impact the operation?

[jazzman1]

Yes sKunKbad, that was the issue here, but in fact that we can apply some additional security added by SELinux, so although DAC rules allowed "ls -ld" process access this directory ~/http, SELinux policy would denied access to it. We never know what could be a problem without providing some additional information. Most of the users coming to the forums said - Hey, I added permissions to 777 to the dir / file, but it still do not have permission on it

 

@snehu, do you have an access to apache error_log file? What distro is that? I suspect is RedHat based.

[sKunKbad]

Linux/Unix type permissions are full of little things to learn. I'll be honest and state that I do not consider myself to have a complete understanding of them. I do have great interest in this subject. I have some permission related questions of my own, but those would be for another thread.